Alternative Trace Axioms for the WHILE Construct


One familiar and trivial fact about formal logic is that an inference may be easy to derive in one proof system but difficult to derive in a second, equivalent system. It is therefore not surprising that some programs are more difficult to prove correct using Hoare logic than, for example, dynamic logic, and vice versa. It would be good to have a single logic of programs that made correctness proofs easy in all cases, but this is too much to hope for, since any finite, reasonably rich axiomatic system will have theorems that can only be derived by means of lengthy proofs. Still, one can hope to make a certain amount of progress toward the desired end before encountering the point of diminishing marginal returns. The usual area of difficulty in any verification proof is proving that repetition constructs (such as loops and recursion) behave as they were intended. In view of this, the present report focuses on different ways to handle the archetypal loop construct: while.

In [6] John McLean presents a programming language semantics, the extended trace language, based on the trace specification language described in [5]. The simple programming language discussed in [6] contains the while construct, and McLean gives this construct a natural and correct recursive treatment. In this report I will show that it is possible to use the extended trace language to give the while construct two other quite different semantic treatments. One of these is based on the Hoare-style semantics for while; the second is an alternative to the recursive axiom that could be used in cases where the verifier can discern at what point a given loop will terminate. It is significant that when using the extended trace language a verifier of software can choose from several different but equivalent semantic treatments of while. The ability to choose an axiom for while that fits the problem at hand makes the extended trace language an attractive software verification formalism.

1 The trace specification language

The trace language provides for the specification of software modules in terms of the effects, such as return-values, that the user sees when executing a sequence of procedure and function calls. These sequences are called traces.

A trace specification consists of a syntax section and a semantics section. The syntax section states the name and parameter types of each of the module's procedures and the name, parameter types, and return-value type of each of the module's function calls. The semantics section contains axioms formalized in a many-sorted language of first-order logic with identity, with one set of variables $R, R_1, R_2, \ldots, S, S_1, S_2, \ldots, T, T_1, T_2, \ldots$ to be understood as ranging over traces. In addition to the usual logical connectives there is an interpreted binary function symbol $(.)$, which serves as a notation for concatenating trace terms. If $X$ is a trace variable, the empty trace $\epsilon$, a procedure call, or a function call, then $X$ is a well-formed trace term; if $X$ and $Y$ are well-formed trace terms, then $(X.Y)$ is a well-formed trace term. Nothing else is a well-formed trace term. A function (procedure) call is a function (procedure) name followed by the requisite number of parameters of appropriate types. In place of a formal axiom of associativity for concatenation I adopt the convention of dropping the parentheses around the subterms of a trace term.

The axioms that appear in the semantics section of a trace specification state or entail information about which traces are legal and about the values returned by legal traces that end with function calls. The legality predicate and the value function are usually formalized using the unary predicate symbol $L$ and the unary function symbol $V$, respectively. One additional and very handy piece of notation is trace equivalence ($\equiv$), defined as follows:¹

$$S \equiv T =_{df} \forall R\,[(L(S.R) \leftrightarrow L(T.R)) \wedge (R \neq \epsilon \rightarrow (\exists x\, V(S.R) = x \rightarrow V(S.R) = V(T.R)))]$$

In other words, two traces are equivalent just in case they agree on (i) present and future legality, and (ii) all future return values. Intuitively, two traces are equivalent provided that they place the module in the same "state" as far as the user can tell.

2 The extended trace specification language

McLean's extended trace semantics is defined on a simple programming language that permits variable assignment, sequencing, while do, and if then else. The extended trace language itself is very much like the trace specification language, except that in addition to procedure call variables $R$ and $T$, with and without subscripts, we have program statement variables $S$, with and without subscripts. In addition, the value function $V$ takes two arguments instead of one. The first argument is a trace expression, the second a program variable or Boolean expression. McLean's program semantics consists of a complete set of axioms and rules for first-order logic with identity and functions, together with the following additional axioms:

1. $V(S, c) = c$, for constant $c$.

2. $V(\epsilon, x) = 0$, for any integer variable $x$.²

3. $V(S.a := t, a) = V(S, t)$, for term $t$.

4. $V(S, \sigma(a, b)) = \sigma(V(S, a), V(S, b))$, where $\sigma$ is an arithmetical operation.

5. $V(S, \sigma(p, q)) \leftrightarrow \sigma(V(S, p), V(S, q))$, where $\sigma$ is a Boolean operation.³

6. $V(S.a := t, b) = V(S, b)$, unless (i) $b$ is an expression containing $a$, (ii) $b$ is an array variable whose index is an expression containing $a$, or (iii) both $a$ and $b$ are array variables to the same array.

7. $V(S, \phi) = V(S, \theta) \rightarrow V(S, a[\phi]) = V(S, a[\theta])$, where $a$ is an array.

8. $V(S, \phi) \neq V(S, \theta) \rightarrow V(S.a[\theta] := t, a[\phi]) = V(S, a[\phi])$, where $a$ is an array.

9. $V(S, \theta) \rightarrow V(S.\mathbf{if}\ \theta\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2\ \mathbf{fi}, x) = V(S.S_1, x)$, where $x$ is a program variable or Boolean expression and where '$=$' is understood as meaning '$\leftrightarrow$' in the latter case.

10. $\neg V(S, \theta) \rightarrow V(S.\mathbf{if}\ \theta\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2\ \mathbf{fi}, x) = V(S.S_2, x)$, where $x$ is a program variable or Boolean expression and where '$=$' is understood as meaning '$\leftrightarrow$' in the latter case.

11. $(\mathrm{acc}(S, S_0, T) \wedge \neg V(T, \theta)) \rightarrow V(S.\mathbf{while}\ \theta\ \mathbf{do}\ S_0\ \mathbf{od}, x) = V(S.\mathbf{if}\ \theta\ \mathbf{then}\ S_0.\mathbf{while}\ \theta\ \mathbf{do}\ S_0\ \mathbf{od}\ \mathbf{fi}, x)$, where $x$ is a program variable or Boolean expression and with '$=$' understood as meaning '$\leftrightarrow$' in the latter case.

12. $V(S.\mathbf{skip}, t) = V(S, t)$, for term $t$.

¹[6], p. 4.

²This axiom assumes that all numerical program variables are initialized to 0.

³Note that if $p$ is a formula or Boolean variable, then $V(S, p)$ is a formula, otherwise a term.


The acc predicate, which is useful for proving the correctness of programs, is defined by the following equivalence:

$$\mathrm{acc}(T, S, R) \leftrightarrow \exists n\, R = T.S^n,$$

where $S^n$ is a function that maps a trace and an integer to a trace and is defined by the following axioms:

$$S^0 = \epsilon$$
$$S^{n+1} = S^n.S$$

So, a trace $R$ is $S$-accessible to a trace $T$ provided that $R$ is the result of appending a finite number of occurrences of $S$ onto $T$. A related predicate that will come in handy later on is ext, defined as follows:

$$\mathrm{ext}(\phi, T, S, R) \leftrightarrow [\mathrm{acc}(T, S, R) \wedge \forall X\,[[\mathrm{acc}(T, S, X) \wedge \mathrm{acc}(X, S, R)] \rightarrow V(X, \phi)]]$$

In other words, $R$ is an $S$-accessible $\phi$-extension of $T$ provided that $R$ is $S$-accessible to $T$ and $\phi$ is uniformly true over every prefix of $R$ having the form $T.S^k$.

In the programming language we are considering, a program fails to terminate only if one or more of its while loops fails to terminate. So to prove that a program halts we need only prove that its loops terminate. In general this will involve considering a trace of the form

$$R.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}$$

and proving

$$\exists T\,(\mathrm{acc}(R, S, T) \wedge \neg V(T, \phi)).$$


Unfortunately, our use of first-order logic greatly limits our ability to prove that programs terminate. For example, let $P$ be an extension of first-order logic containing the axioms of Peano arithmetic and the axioms of the extended trace language, and consider the following program:

$$x := z.\mathbf{while}\ x > 0\ \mathbf{do}\ x := x - 1\ \mathbf{od}$$

In order to prove that this program terminates for values of $z$ greater than 0, we need to prove that $P$ implies the following formula:

$$\forall z\,(z > 0 \rightarrow \exists T\,(\mathrm{acc}(x := z, x := x - 1, T) \wedge \neg V(T, x > 0))).$$

But if $M$ is a nonstandard model of arithmetic that satisfies the axioms of the extended trace language, then $M$ cannot satisfy $\forall z\,(z > 0 \rightarrow \exists T\,(\mathrm{acc}(x := z, x := x - 1, T) \wedge \neg V(T, x > 0)))$, since $M$ cannot satisfy $\exists T\,(\mathrm{acc}(x := z, x := x - 1, T) \wedge \neg V(T, x > 0))$ for nonstandard integer values of $z$. Thus in many cases, some of them very simple cases, it will be impossible to prove termination for a program that clearly does terminate. In [1] Apt makes this same point regarding Hoare logic, and so, as with Hoare logic, the extended trace language is more useful for proving weak correctness than for proving strong correctness.⁴

We will refer to Axiom 11 as the recursive axiom, since it associates a while statement with an if-then-else statement that calls that same while statement again.

⁴A program is weakly correct just in case it is correct if it terminates; a program is strongly correct just in case it is weakly correct and also terminates.
3 The invariance while axiom

3.1 Hoare logic

The semantics of while in Hoare's logic, by contrast, depends on the idea of an invariant. The standard while rule in Hoare logic is as follows:

$$\frac{\{p \wedge e\}\ S\ \{p\}}{\{p\}\ \mathbf{while}\ e\ \mathbf{do}\ S\ \mathbf{od}\ \{p \wedge \neg e\}}$$

Proving a program $S_1; \mathbf{while}\ e\ \mathbf{do}\ S_2\ \mathbf{od}$ partially correct with respect to a precondition $p$ and postcondition $q$ normally involves showing that $S_1$ establishes an invariant $r$ that $S_2$ preserves. This means that in order to prove $\{p\}\ S_1; \mathbf{while}\ e\ \mathbf{do}\ S_2\ \mathbf{od}\ \{q\}$ we must prove the following, for some cleverly chosen $r$: $\{p\}\ S_1\ \{r\}$, $\{r \wedge e\}\ S_2\ \{r\}$, $(r \wedge \neg e) \rightarrow q$. From the second of these, $\{r\}\ \mathbf{while}\ e\ \mathbf{do}\ S_2\ \mathbf{od}\ \{r \wedge \neg e\}$ follows by Hoare's while rule, and this, together with $\{p\}\ S_1\ \{r\}$, implies by the Composition Rule⁵ $\{p\}\ S_1; \mathbf{while}\ e\ \mathbf{do}\ S_2\ \mathbf{od}\ \{r \wedge \neg e\}$. This last formula, together with $(r \wedge \neg e) \rightarrow q$, implies the target formula by the Consequence Rule:⁶ $\{p\}\ S_1; \mathbf{while}\ e\ \mathbf{do}\ S_2\ \mathbf{od}\ \{q\}$.⁷

Consider, for example, the following program, which computes the factorial function for input $x$.

    a := 1;
    b := x;
    while b ≠ 0 do
        a := ab;
        b := b - 1 od;
    end

In order to prove this program (weakly) correct, we need to give a Hoare logic proof of the following:

Proposition 1 $\{x > 0\}\ a := 1; b := x; \mathbf{while}\ b \neq 0\ \mathbf{do}\ a := ab; b := b - 1\ \mathbf{od}\ \{a = x!\}$.

Proof: To prove this, according to the procedure described above, it suffices to prove each of the following:

(1) $\{x > 0\}\ a := 1; b := x\ \{r\}$

(2) $\{r \wedge b \neq 0\}\ a := ab; b := b - 1\ \{r\}$

(3) $(r \wedge b = 0) \rightarrow a = x!$

for suitably chosen $r$. Let $r$ be the formula $a = x!/b!$. Obviously (3) holds, since $0! = 1$, so consider (1): by the Assignment Axiom⁸ and the Consequence Rule it follows that

$$\{x > 0\}\ a := 1\ \{x > 0 \wedge a = x!/x!\}$$

holds. Also, again by the Assignment Axiom and the Consequence Rule, we have that

$$\{x > 0 \wedge a = x!/x!\}\ b := x\ \{a = x!/b!\}.$$

Hence, using the Composition Rule, it follows that (1) holds, i.e. that

$$\{x > 0\}\ a := 1; b := x\ \{a = x!/b!\}$$

holds. Finally, consider (2): we can use the Assignment Axiom and Consequence Rule to conclude both

$$\{ab = x!/(b - 1)!\}\ a := ab\ \{a = x!/(b - 1)!\}$$

and

$$\{a = x!/(b - 1)!\}\ b := b - 1\ \{a = x!/b!\},$$

from which it follows by the Composition Rule that

$$\{ab = x!/(b - 1)!\}\ a := ab; b := b - 1\ \{a = x!/b!\}$$

holds, from which it follows by the Consequence Rule that

$$\{a = x!/b! \wedge b \neq 0\}\ a := ab; b := b - 1\ \{a = x!/b!\}$$

holds, which is to say that (2) holds, as required. ∎

⁵[1], p. 433.

⁶[1], p. 434.

⁷See [1], pp. 433-436.

⁸[1], p. 433.

Let's refer to the program in the preceding example as the Factorial Program. For the sake of the exposition, I will use it to illustrate the alternative semantic treatments of while presented here.⁹

3.2 The axiom of invariance for while

The extended trace language permits the formulation of a while axiom based on the idea of an invariant:

$$[\mathrm{acc}(T, S, T') \wedge \neg V(T', \phi)] \rightarrow \big(\forall R\,[[V(R, p \wedge \phi) \wedge \mathrm{ext}(\phi, T, S, R)] \rightarrow V(R.S, p)] \rightarrow (V(T, p) \rightarrow V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, p \wedge \neg\phi))\big)$$

This axiom states that if the truth of the invariant $p$ is preserved whenever $S$ is executed on a trace in which both $p$ and the loop condition $\phi$ hold and which is an $S$-accessible $\phi$-extension of a trace $T$, then if $p$ is true at $T$, then $p$ is also true at $T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}$, unless this loop does not terminate.

Now let's prove the Factorial Program correct using the extended trace language (as modified to include the axiom of invariance instead of the recursive while axiom). We wish to derive:

Proposition 2 $\exists T'\,[\mathrm{acc}(a := 1.b := x, a := ab.b := b - 1, T') \wedge \neg V(T', b \neq 0)] \rightarrow (x > 0 \rightarrow V(a := 1.b := x.\mathbf{while}\ b \neq 0\ \mathbf{do}\ a := ab.b := b - 1\ \mathbf{od}, a = x!))$.

Proof: In order to use the axiom of invariance, we need two lemmas. (We use the same invariant as was used above in the Hoare logic correctness proof.) One of these lemmas is trivial, namely

(L1) $x > 0 \rightarrow V(a := 1.b := x, a = x!/b!)$,

which follows from extended trace language axioms 3, 4, and 5. The other lemma is this:

(L2) $x > 0 \rightarrow \forall R\,[[V(R, a = x!/b! \wedge b \neq 0) \wedge \mathrm{ext}(b \neq 0, a := 1.b := x, a := ab.b := b - 1, R)] \rightarrow V(R.a := ab.b := b - 1, a = x!/b!)]$.

Let $R$ be given such that $\mathrm{ext}(b \neq 0, a := 1.b := x, a := ab.b := b - 1, R)$. It follows that

$$V(R, a = x!/b! \wedge b \neq 0) \Rightarrow V(R, ab = x!/(b - 1)! \wedge b \neq 0)$$
$$\Rightarrow V(R.a := ab, a = x!/(b - 1)! \wedge b \geq 1)\ \text{by axioms 3, 4, 5;}$$
$$\Rightarrow V(R.a := ab.b := b - 1, a = x!/b! \wedge b \geq 0)\ \text{by axioms 3, 4, 5.}$$

This completes the proof of (L2). (L1) and (L2), together with our hypothesis and the invariance axiom imply:

$$\exists T'\,[\mathrm{acc}(a := 1.b := x, a := ab.b := b - 1, T') \wedge \neg V(T', b \neq 0)] \rightarrow (x > 0 \rightarrow V(a := 1.b := x.\mathbf{while}\ b \neq 0\ \mathbf{do}\ a := ab.b := b - 1\ \mathbf{od}, a = x!/b! \wedge b = 0)),$$

which by arithmetic implies the desired result, namely:

$$\exists T'\,[\mathrm{acc}(a := 1.b := x, a := ab.b := b - 1, T') \wedge \neg V(T', b \neq 0)] \rightarrow (x > 0 \rightarrow V(a := 1.b := x.\mathbf{while}\ b \neq 0\ \mathbf{do}\ a := ab.b := b - 1\ \mathbf{od}, a = x!)).\ ∎$$

⁹I will not here present an extended trace language correctness proof of the Factorial Program using the recursive axiom for while, since McLean does this (using essentially the same specification) in [6].

Notice that, unlike the recursive semantics for while, this invariance-based semantic treatment of while does not seem to require us to use mathematical induction to prove the correctness of the Factorial Program.¹⁰ Like all good things, however, this feature must be paid for: we will use induction to prove that the recursive axiom implies the invariance axiom (see Lemma 2 in section 5 below).

4 The precise count while axiom

In this section we consider a third and somewhat different semantics for while.

$$[\neg V(T.S^n, \phi) \wedge \forall k\,[0 \leq k < n \rightarrow V(T.S^k, \phi)]] \rightarrow V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, x) = V(T.S^n, x)$$

That is, if, starting at $T$, $\phi$ first becomes false after $n$ iterations of $S$, then $T.S^n$ is simply equivalent to $T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}$. Like the invariance axiom (and unlike the recursive axiom) the precise count axiom has the following property: one must choose carefully which of its instances to use. In particular, one must find or correctly guess how many times the loop will iterate in order to use this axiom. In some cases where this is easy to guess, this axiom could make the proof somewhat simpler. For illustration, consider once again the Factorial Program. We wish to prove:

Proposition 3 $\exists T'\,[\mathrm{acc}(a := 1.b := x, a := ab.b := b - 1, T') \wedge \neg V(T', b \neq 0)] \rightarrow (x > 0 \rightarrow V(a := 1; b := x; \mathbf{while}\ b \neq 0\ \mathbf{do}\ a := ab.b := b - 1\ \mathbf{od}, a) = x!)$.

Proof: Let $\exists T'\,\mathrm{acc}(a := 1.b := x, a := ab.b := b - 1, T')$, $\neg V(T', b \neq 0)$, and $x > 0$ all hold. Let $R$ be the shortest $T'$ satisfying the first assumption, and let $n$ be the number of iterations of the loop $a := ab.b := b - 1$ in $R$. We will show that $n = x$, i.e. that $x$ satisfies the hypothesis of the precise count axiom.

¹⁰I conjecture that the recursive semantics in [6] does in fact require the use of induction. An examination of McLean's correctness proof on page 7 of [6] provides some evidence for this conjecture.
First we need to show that $\neg V(a := 1.b := x.(a := ab.b := b - 1)^x, b \neq 0)$, i.e. $V(a := 1.b := x.(a := ab.b := b - 1)^x, b) = 0$. We show this by giving a proof by induction of the following identity:

(L3) $V(a := 1.b := x.(a := ab.b := b - 1)^k, b) = x - k$.

Proof of (L3): Since $V(a := 1.b := x, b) = x$, we have the basis case. Suppose that the identity holds for $k \leq m$, and let $k = m + 1$. Then

$$V(a := 1.b := x.(a := ab.b := b - 1)^{m+1}, b) = V(a := 1.b := x.(a := ab.b := b - 1)^m.a := ab, b - 1)\ \text{by axiom 3;}$$
$$= V(a := 1.b := x.(a := ab.b := b - 1)^m, b - 1)\ \text{by axiom 6;}$$
$$= V(a := 1.b := x.(a := ab.b := b - 1)^m, b) - 1\ \text{by axiom 4;}$$
$$= (x - m) - 1\ \text{by inductive hypothesis;}$$
$$= x - (m + 1)\ \text{as required.}$$

This completes the proof of (L3). Note that (L3) implies:

$$V(a := 1.b := x.(a := ab.b := b - 1)^x, b) = x - x = 0,$$

which establishes the first conjunct of the antecedent of the precise count axiom. To establish the second conjunct, we need to show:

$$\forall k\,[0 \leq k < x \rightarrow V(a := 1.b := x.(a := ab.b := b - 1)^k, b \neq 0)].$$

But this also follows from (L3), since $k < x$ implies $x - k \neq 0$.

Having established both conjuncts of the antecedent of the precise count axiom we now must show that the following holds:

(L4) $0 \leq y \leq x \rightarrow V(a := 1.b := x.(a := ab.b := b - 1)^y, a) = x!/(x - y)!$.

Proof of (L4): Again we proceed by induction. Assume $0 \leq y \leq x$. Clearly $V(a := 1.b := x, a) = 1 = x!/(x - 0)!$, so the basis case holds. Now suppose (L4) holds for $y \leq k$, and consider the case where $y = k + 1$. We reason as follows: we have $V(a := 1.b := x.(a := ab.b := b - 1)^k, a) = x!/(x - k)!$ by the inductive hypothesis, and $V(a := 1.b := x.(a := ab.b := b - 1)^k, b) = x - k$ by (L3). Thus $V(a := 1.b := x.(a := ab.b := b - 1)^k, a = x!/(x - k)!)$, which in turn implies $V(a := 1.b := x.(a := ab.b := b - 1)^k, ab = [x!/(x - k)!](x - k))$ by axioms 4 and 5. This implies that $V(a := 1.b := x.(a := ab.b := b - 1)^k, ab = x!/(x - (k + 1))!)$ holds, since $x > k$, which holds because $x \geq y = k + 1$. Thus $V(a := 1.b := x.(a := ab.b := b - 1)^k, ab) = x!/(x - (k + 1))!$ holds, which implies by axiom 3 that $V(a := 1.b := x.(a := ab.b := b - 1)^k.a := ab, a) = x!/(x - (k + 1))!$ holds. Consequently we have

$$V(a := 1.b := x.(a := ab.b := b - 1)^{k+1}, a) = V(a := 1.b := x.(a := ab.b := b - 1)^k.a := ab.b := b - 1, a)$$
$$= V(a := 1.b := x.(a := ab.b := b - 1)^k.a := ab, a)\ \text{by axiom 6;}$$
$$= x!/(x - (k + 1))!,$$

as required. This completes the proof of (L4). Now, at last, we can derive our main conclusion using the precise count axiom itself.

$$V(a := 1.b := x.\mathbf{while}\ b \neq 0\ \mathbf{do}\ a := ab.b := b - 1\ \mathbf{od}, a) = V(a := 1.b := x.(a := ab.b := b - 1)^x, a)$$
$$= x!\ \text{by (L4)}$$

This completes our correctness proof for the Factorial Program using the precise count axiom. ∎
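To make the definitions of acc and ext (section 2), the invariance axiom (section 3.2) and the precise count axiom concrete, here is a small interpreter for the extended trace language, restricted to integer variables, that checks all three while axioms and lemmas (L3) and (L4) on the Factorial Program for concrete inputs. It is an added example, not code from the paper; the trace encoding and the helper names (run, precise_count, check_factorial, factorial_program) are its own construction, and the invariant $a = x!/b!$ is checked as $a \cdot b! = x!$ to avoid division.

```python
# Added example (not from the paper): a small interpreter for the extended trace
# language restricted to integer variables, used to check the paper's definitions
# of acc and ext and its three while axioms on the Factorial Program for concrete
# inputs. V, acc, ext and the axiom labels follow the paper; the trace encoding,
# run(), precise_count() and check_factorial() are this example's own construction.
from collections import defaultdict
from math import factorial

# A trace is a tuple of statements; expressions and conditions are functions of
# the state. Variables never assigned read as 0 (axiom 2).
def assign(var, expr):
    return ("assign", var, expr)

def while_(cond, body):
    return ("while", cond, body)

def if_(cond, then, else_=()):      # "if c then S fi" is if_(c, S): else is skip
    return ("if", cond, then, else_)

def run(trace, state=None):
    """Execute a trace from `state` (default: the state of the empty trace)."""
    st = defaultdict(int, state or {})
    for stmt in trace:
        if stmt[0] == "assign":                   # axiom 3
            st[stmt[1]] = stmt[2](st)
        elif stmt[0] == "if":                     # axioms 9, 10
            st = run(stmt[2] if stmt[1](st) else stmt[3], st)
        elif stmt[0] == "while":                  # recursive axiom (b), unrolled
            while stmt[1](st):
                st = run(stmt[2], st)
        elif stmt[0] != "skip":                   # axiom 12: skip changes nothing
            raise ValueError(stmt[0])
    return st

def V(trace, expr):
    """V(T, e): the value of term or formula e in the state reached by trace T."""
    return expr(run(trace))

def acc(T, S, R):
    """acc(T, S, R): R = T.S^n for some n >= 0. Returns that n, or None."""
    if R[:len(T)] != T or (len(R) - len(T)) % len(S):
        return None
    n = (len(R) - len(T)) // len(S)
    return n if R == T + S * n else None

def ext(phi, T, S, R):
    """ext(phi, T, S, R): acc(T, S, R) and phi holds at every prefix T.S^k of R."""
    n = acc(T, S, R)
    return n is not None and all(V(T + S * k, phi) for k in range(n + 1))

def precise_count(T, S, phi, limit=200):
    """Smallest n with not V(T.S^n, phi), i.e. the n of the precise count axiom."""
    for n in range(limit):
        if not V(T + S * n, phi):
            return n
    return None                                   # loop did not stop within limit

def factorial_program(x):
    """a := 1; b := x; while b != 0 do a := ab; b := b - 1 od, as (init, S, phi)."""
    init = (assign("a", lambda s: 1), assign("b", lambda s: x))
    S = (assign("a", lambda s: s["a"] * s["b"]), assign("b", lambda s: s["b"] - 1))
    return init, S, (lambda s: s["b"] != 0)

def check_factorial(x):
    """Check (L3), (L4) and axioms (a), (b), (c) on the Factorial Program, x >= 0."""
    init, S, phi = factorial_program(x)
    loop = (while_(phi, S),)
    a, b = (lambda s: s["a"]), (lambda s: s["b"])
    n = precise_count(init, S, phi)
    if n != x:                                    # the loop must run exactly x times
        return False
    ok = all(V(init + S * k, b) == x - k for k in range(n + 1))                # (L3)
    ok &= all(V(init + S * y, a) == factorial(x) // factorial(x - y)
              for y in range(n + 1))                                           # (L4)
    ok &= V(init + loop, a) == V(init + S * n, a)                              # (a)
    ok &= V(init + loop, a) == V(init + (if_(phi, S + loop),), a)              # (b)
    # (c) with the paper's invariant p: a = x!/b!, written without division.
    p = lambda s: s["b"] >= 0 and s["a"] * factorial(s["b"]) == factorial(x)
    preserved = all(V(R + S, p)
                    for R in (init + S * k for k in range(n + 1))
                    if V(R, lambda s: p(s) and phi(s)) and ext(phi, init, S, R))
    ok &= V(init, p) and preserved and V(init + loop, lambda s: p(s) and not phi(s))
    return ok and V(init + loop, a) == factorial(x)
```

For a negative input the loop condition never fails, so precise_count gives up at its limit and check_factorial reports False rather than running the while statement.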
5 Equivalence of the three axioms

As one would hope, we can prove that our three trace axioms for the while construct are equivalent. The three axioms, once again, are as follows:

(a) $[\neg V(T.S^n, \phi) \wedge \forall k\,(0 \leq k < n \rightarrow V(T.S^k, \phi))] \rightarrow V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, x) = V(T.S^n, x)$

(b) $(\mathrm{acc}(S, S_0, T) \wedge \neg V(T, \phi)) \rightarrow V(S.\mathbf{while}\ \phi\ \mathbf{do}\ S_0\ \mathbf{od}, x) = V(S.\mathbf{if}\ \phi\ \mathbf{then}\ S_0.\mathbf{while}\ \phi\ \mathbf{do}\ S_0\ \mathbf{od}\ \mathbf{fi}, x)$

(c) $[\mathrm{acc}(T, S, T') \wedge \neg V(T', \phi)] \rightarrow (\forall R\,[[V(R, p \wedge \phi) \wedge \mathrm{ext}(\phi, T, S, R)] \rightarrow V(R.S, p)] \rightarrow (V(T, p) \rightarrow V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, p \wedge \neg\phi)))$

where $x$ is a program variable or Boolean expression, with '$=$' understood as meaning '$\leftrightarrow$' in the latter case. The first lemma we need is:

Lemma 1 Axiom (a), the precise count axiom, implies Axiom (b), the recursive axiom.

Proof: Suppose that (a) holds and suppose that $\mathrm{acc}(S, S_0, T) \wedge \neg V(T, \phi)$ holds. By the definition of acc, let $n$ be the smallest $n'$ such that $n' \geq 0 \wedge \neg V(T.S^{n'}, \phi)$ holds. Hence $V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, x) = V(T.S^n, x)$. There are two cases.

Case 1: If $n = 0$, then $\neg V(T, \phi)$ holds, and we also have

$$V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, x) = V(T, x)\ \text{by Axiom (a);}$$
$$= V(T.\mathbf{if}\ \phi\ \mathbf{then}\ S.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}\ \mathbf{fi}, x)\ \text{by Axiom 10.}$$

Case 2: If $n > 0$, then we have $V(T, \phi)$; note that $n - 1$ is the smallest $n'$ such that $n' \geq 0 \wedge \neg V(T.S.S^{n'}, \phi)$ holds. This gives us

$$V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, x) = V(T.S.S^{n-1}, x)\ \text{by Axiom (a);}$$
$$= V(T.S.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, x)\ \text{by Axiom (a);}$$
$$= V(T.\mathbf{if}\ \phi\ \mathbf{then}\ S.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}\ \mathbf{fi}, x)\ \text{by Axiom 9.}$$

So in either case, $V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, x) = V(T.\mathbf{if}\ \phi\ \mathbf{then}\ S.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}\ \mathbf{fi}, x)$, as required. ∎

Lemma 2 Axiom (b) implies Axiom (c), the invariance axiom.

Proof: Suppose that (b) holds and suppose that

(i) $\mathrm{acc}(T, S, T') \wedge \neg V(T', \phi)$,

(ii) $\forall R\,\{[V(R, p \wedge \phi) \wedge \mathrm{ext}(\phi, T, S, R)] \rightarrow V(R.S, p)\}$, and

(iii) $V(T, p)$

also hold. We need to show that $V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, p \wedge \neg\phi)$ holds, as well. By the definition of acc we know that $\exists n'\,[n' \geq 0 \wedge \neg V(T.S^{n'}, \phi)]$. Let $n$ be the smallest such $n'$. The proof will be by induction on the value of $n$.

Basis Case: Let $n = 0$. Hence $\neg V(T, \phi)$ holds, and so

$$V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, p \wedge \neg\phi) \Leftrightarrow V(T.\mathbf{if}\ \phi\ \mathbf{then}\ S.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}\ \mathbf{fi}, p \wedge \neg\phi)\ \text{by (b);}$$
$$\Leftrightarrow V(T.\mathbf{skip}, p \wedge \neg\phi)\ \text{by axiom 10;}$$
$$\Leftrightarrow V(T, p \wedge \neg\phi)\ \text{by axiom 12,}$$

but $V(T, p \wedge \neg\phi)$ is true by hypothesis, so $V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, p \wedge \neg\phi)$ is true, as required.
Inductive Step: Suppose that Axiom (b) implies Axiom (c) for all values $k$ such that $0 \leq k \leq n$, where $n \geq 0$. We show that this implication holds for $n + 1$, as well.

Since $n > 0$, we know that $V(T, \phi)$ holds, which together with (iii) implies that $V(T, p \wedge \phi)$ holds. Since, in addition, we know that $\mathrm{acc}(T, S, T)$, it follows by (ii) that $V(T.S, p)$ holds. Since $n > 0$ we also know that $\mathrm{acc}(T.S, S, T')$ holds, too. In particular, $n$ is the smallest $n'$ such that $n' \geq 0 \wedge \neg V(T.S.S^{n'}, \phi)$.

Note that (ii) implies $\forall R\,[[V(R, p \wedge \phi) \wedge \mathrm{ext}(\phi, T.S, S, R)] \rightarrow V(R.S, p)]$. Since $V(T, \phi)$ and $V(T, p)$ both hold, it also follows from (ii) that $V(T.S, p)$ holds.

Thus we have

$$V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, p \wedge \neg\phi) \Leftrightarrow V(T.\mathbf{if}\ \phi\ \mathbf{then}\ S.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}\ \mathbf{fi}, p \wedge \neg\phi)\ \text{by (b);}$$
$$\Leftrightarrow V(T.S.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, p \wedge \neg\phi)\ \text{by axiom 9;}$$

but, by the inductive hypothesis, $V(T.S.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, p \wedge \neg\phi)$ is true, since $\mathrm{acc}(T.S, S, T') \wedge \neg V(T', \phi)$, $\forall R\,[[V(R, p \wedge \phi) \wedge \mathrm{ext}(\phi, T.S, S, R)] \rightarrow V(R.S, p)]$, and $V(T.S, p)$ all hold. Hence

$$V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, p \wedge \neg\phi)$$

holds as required. ∎

Lemma 3 Axiom (c) implies Axiom (a).

Proof: Suppose that (c) holds, and let $n$ be such that $\neg V(T.S^n, \phi) \wedge \forall k\,[0 \leq k < n \rightarrow V(T.S^k, \phi)]$ holds. Let $y = V(T.S^n, x)$, and let $p$ be the formula $\phi \vee x = y$. We will show that $V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, x) = y$ by first showing $V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, p \wedge \neg\phi)$, and to show this it suffices (by axiom (c)) to show that (i) $[\mathrm{acc}(T, S, T') \wedge \neg V(T', \phi)]$, (ii) $\forall R\,[[V(R, (\phi \vee x = y) \wedge \phi) \wedge \mathrm{ext}(\phi, T, S, R)] \rightarrow V(R.S, (\phi \vee x = y))]$, and (iii) $V(T, (\phi \vee x = y))$. Now, (i) and (iii) follow straightforwardly from our hypothesis. Let us then examine (ii).

Let $R$ be such that $V(R, (\phi \vee x = y) \wedge \phi) \wedge \mathrm{ext}(\phi, T, S, R)$. Since $\phi$ entails $(\phi \vee x = y)$, this is equivalent to $V(R, \phi) \wedge \mathrm{ext}(\phi, T, S, R)$. It follows that $R$ has the form $T.S^k$ for some $k$ such that $0 \leq k < n$, since otherwise (by hypothesis) $\phi$ would not be uniformly true over the $S$-extensions of $T$ that are prefixes of $R$. There are two cases:

Case 1: If $k = n - 1$, then by hypothesis

$$V(R.S, (\phi \vee x = y)) \Leftrightarrow V(T.S^{n-1}.S, (\phi \vee x = y))$$
$$\Leftrightarrow V(T.S^n, (\phi \vee x = y)),$$

but $V(T.S^n, (\phi \vee x = y))$ is true, since $V(T.S^n, x = y)$ holds, and so $V(R.S, (\phi \vee x = y))$ is true, as well.

Case 2: If $k < n - 1$, then $V(T.S^{k+1}, \phi)$ holds, since $k + 1 < n$, and

$$V(R.S, (\phi \vee x = y)) = V(T.S^k.S, (\phi \vee x = y))$$
$$= V(T.S^{k+1}, (\phi \vee x = y)),$$

but $V(T.S^{k+1}, (\phi \vee x = y))$ is true, since $V(T.S^{k+1}, \phi)$ holds, and so $V(R.S, (\phi \vee x = y))$ is true, as well.

This suffices to establish (ii), and hence, by (c), (i), (ii), and (iii) we have $V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, (\phi \vee x = y) \wedge \neg\phi)$, which implies $V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, x = y)$, which implies $V(T.\mathbf{while}\ \phi\ \mathbf{do}\ S\ \mathbf{od}, x) = V(T.S^n, x)$, as required. ∎

Theorem 1 Axioms (a), (b), and (c) are equivalent.

Proof: By Lemmas 1, 2, 3. ∎